Imaging/Capture Tools

Just as with every other step along the way, you need to document any forensic software used during the examination. You should record its version and use it in accordance with the vendor’s licensing agreement. The software you use should be properly tested and validated for forensic use. Several papers are available that document NIST and Department of Justice testing of various tools. You can find these papers on the NIST Web site at http://www.cftt.nist.gov/ and the Department of Justice’s Office of Justice Programs Web site at http://www.ojp.usdoj.gov.

You also need to document all standard procedures and processes that you use, as well as any variations to or deviations from standard procedures. To analyze any system reliably, you must use unmodified, authentic tools. Remember, you should be prepared to testify to the authenticity and reliability of the tools that you use.

Be sure you have the proper tools to perform your investigation, including programs to collect evidence and perform forensic exams. Your set of tools should include the following:

  • Programs for examining processes and services running
  • Programs for examining the system state
  • Scripts or programs to automate evidence collection
  • A program for doing bit-to-bit copies
  • Programs for generating checksums to verify the image

Your tools should be on read-only media, such as a CD-R. In addition, make sure to have a set of tools for every operating system.

Forensic tools come in many different shapes and sizes. Besides programs and scripts for capturing data, there are handheld forensic imaging tools such as the Image MASSter Solo 4 shown previously in this chapter. The successful use of forensic tools stems from being able to identify which are the most appropriate for your environment and becoming familiar with them before the need for an investigation arises.

Utilities

dd utility

Copy and convert utility. Originally included with most versions of UNIX and Linux, versions now exist for Windows as well.

The dd utility is one of the original UNIX utilities; it’s now used in Linux and Windows as well. It has been around since the 1970s and is probably in every forensic investigator’s tool box. The free dd utility can make exact copies of disks suitable for forensic analysis, and it can be used as a means to build an evidence file.

ASCII

American Standard Code for Information Interchange. A 7-bit character encoding scheme, normally stored one character per byte, used for text-based data.

EBCDIC

Extended Binary Coded Decimal Interchange Code. A character encoding set used by IBM mainframes. Most computer systems use a variant of ASCII, but IBM mainframes and midrange systems, such as the AS/400, use this character set primarily designed for ease of use on punched cards.

Because dd is a command-line tool, using it properly requires a sound knowledge of UNIX/Linux (or Windows) command-line syntax. You can use dd to copy and convert magnetic tape formats, convert between ASCII and EBCDIC, swap bytes, and convert text to uppercase or lowercase. Modified versions of dd intended specifically for forensic use are also available; dcfldd and dc3dd, for example, add on-the-fly hashing and logging. dd's conv= operand supports special conversion flags (notably conv=noerror,sync, which continues past read errors and pads each unreadable block with zeros so that offsets in the image still match the source) that make it suitable for copying devices such as tapes and failing disks.
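The acquisition just described, as an added example that is not part of the page or of any dd distribution: a POSIX shell script that images a source with dd using conv=noerror,sync, logs dd's record counts, and verifies the image against the source with SHA-256. The "device" is a constructed 1 MiB file standing in for a block device such as /dev/sdb so the script runs offline; the file names and the byte offset used for the tamper test are assumptions for the example. A second function flips one byte in the image to show that the hash check catches it.

```sh
# Added example (not from the page or any vendor). Acquire a raw image with dd
# and verify it by hash. SRC is a constructed file here; on a real case it
# would be a block device attached through a write blocker.

# Build a constructed 1 MiB "evidence device" with some recognisable text in it.
make_sample_device() {
    dev="$1"
    dd if=/dev/zero of="$dev" bs=1024 count=1024 2>/dev/null
    printf 'SAMPLE EVIDENCE: constructed test data\n' \
        | dd of="$dev" bs=512 seek=7 conv=notrunc 2>/dev/null
}

# Sector-by-sector acquisition. bs=512 matches the classic sector size, and
# conv=noerror,sync keeps dd going after a read error, padding the unreadable
# block with NULs so that offsets in the image still line up with the source.
# dd's own "records in/out" summary goes to the log: it is part of the record
# of how the image was made, not noise to discard.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>"$log"
}

# Hash source and image and record both digests. The acquisition is only
# considered verified when the two match.
verify_image() {
    src="$1"; img="$2"; log="$3"
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    printf 'source sha256: %s\nimage  sha256: %s\n' "$src_hash" "$img_hash" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# Full run in a scratch directory; returns 0 when the image verifies.
run_acquisition() {
    work=$(mktemp -d)
    make_sample_device "$work/evidence.bin"
    acquire_image "$work/evidence.bin" "$work/evidence.dd" "$work/acquisition.log"
    if verify_image "$work/evidence.bin" "$work/evidence.dd" "$work/acquisition.log"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return "$rc"
}

# Negative check: change a single byte (offset 4000 is an assumed position in
# the zero-filled region) and confirm that verification now fails.
# Returns 0 when the tampering is detected.
tamper_check() {
    work=$(mktemp -d)
    make_sample_device "$work/evidence.bin"
    acquire_image "$work/evidence.bin" "$work/evidence.dd" "$work/acquisition.log"
    printf 'X' | dd of="$work/evidence.dd" bs=1 seek=4000 conv=notrunc 2>/dev/null
    if verify_image "$work/evidence.bin" "$work/evidence.dd" "$work/acquisition.log"; then
        rc=1
    else
        rc=0
    fi
    rm -rf "$work"
    return "$rc"
}
```

The hash of the source is taken after the copy, not before, so the check also confirms that the source did not change during acquisition; if it did, the hardware write blocker or the procedure is at fault and the image should not be relied on. Hashing the original media twice (before and after) is the stricter practice when time allows.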

WinHex is a universal hexadecimal editor for Windows 95/98/Me/NT/2000/XP. WinHex has minimal system requirements, operates very fast, and consumes little memory. It is an advanced tool for inspecting and editing various types of files, and recovering deleted files or lost data from hard drives or from digital camera cards. The disk and memory imaging features include:

  • Disk editor for both logical and physical disks, including hard disks, floppy disks, CD-ROM, DVD, Zip disks, and Compact Flash
  • Supports FAT16, FAT32, NTFS, and CDFS file systems
  • RAM editor used to edit other processes’ virtual memory
  • Disk cloning
  • Drive images that can be compressed or split into 650 MB archives

Grave-Robber is part of The Coroner’s Toolkit (TCT), a set of tools used for collecting and analyzing forensic data on a UNIX system. Grave-Robber is a program that controls a number of other tools, all of which work to capture as much information as possible about a potentially compromised system and its files. Grave-Robber collects evidence in an automated way. It gathers data in the following order:

1. Memory

2. Unallocated file system

3. Netstat, ARP, route

4. Process data

5. Statistics and MD5 on all files and strings on directories

6. Configurations and logs
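A collector that walks the same most-volatile-first order, as an added example that is not part of The Coroner's Toolkit or of IRCR: each step's output is written to its own file and its SHA-256 is appended to a manifest, so the examiner who receives the bundle can prove nothing changed in transit. The command names (netstat, arp, ps) are the ordinary UNIX/Linux ones and are assumed to be present; a missing command is recorded rather than silently skipped. Physical memory and unallocated space need a kernel-level tool or raw device access (and root), so those two steps are written as placeholders instead of attempted.

```sh
# Added example (not part of TCT or IRCR): a minimal live-response collector in
# grave-robber's order of volatility, with a hash manifest of everything saved.

# Run one collection command, saving its output and a SHA-256 of that output.
collect_step() {
    out="$1"; name="$2"; shift 2
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$out/$name.txt" 2>&1 || true
    else
        echo "command not available: $1" > "$out/$name.txt"
    fi
    sha256sum "$out/$name.txt" >> "$out/MANIFEST.sha256"
}

# Step 5 in the text: stat-style listing plus a hash of every file under a tree.
hash_tree() {
    tree="$1"; out="$2"
    ls -lR "$tree" > "$out/05_filestats.txt" 2>&1 || true
    find "$tree" -type f -exec sha256sum {} \; > "$out/05_filehashes.txt" 2>/dev/null || true
    sha256sum "$out/05_filestats.txt" "$out/05_filehashes.txt" >> "$out/MANIFEST.sha256"
}

# Record a note for a step this script cannot perform, so the gap is explicit.
placeholder_step() {
    out="$1"; name="$2"; msg="$3"
    echo "$msg" > "$out/$name.txt"
    sha256sum "$out/$name.txt" >> "$out/MANIFEST.sha256"
}

# Collect into $1, most volatile first; $2 is the tree to hash (default /etc).
collect_volatile() {
    out="$1"; tree="${2:-/etc}"
    mkdir -p "$out"
    : > "$out/MANIFEST.sha256"
    placeholder_step "$out" 00_start "collection started $(date)"
    placeholder_step "$out" 01_memory "memory capture requires a kernel-level tool; not attempted here"
    placeholder_step "$out" 02_unallocated "unallocated space requires raw device access; not attempted here"
    collect_step "$out" 03_netstat netstat -an
    collect_step "$out" 03_arp     arp -an
    collect_step "$out" 03_route   netstat -rn
    collect_step "$out" 04_ps      ps -ef
    hash_tree "$tree" "$out"
    collect_step "$out" 06_logs    ls -l /var/log
    placeholder_step "$out" 99_end "collection finished $(date)"
}

# Re-check every saved artifact against the manifest; returns 0 if unchanged.
verify_collection() {
    sha256sum -c "$1/MANIFEST.sha256" >/dev/null 2>&1
}
```

Run it as root from read-only media with the output directory on separate, clean storage, never on the suspect disk itself: writing to that disk would overwrite exactly the unallocated space that step 2 is meant to preserve.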

Note: Courts often accept evidence collected by tools that have been used in past trials. Tools such as The Coroner's Toolkit and commercially available forensic software are significant because their behavior has already been tested and accepted, so the data they collect is trusted and can be used as evidence.

Incident Response Collection Report (IRCR) is similar to TCT. The program is a collection of tools that gathers and analyzes forensic data on Windows systems. Like TCT, most of the tools within IRCR are oriented toward data collection rather than analysis. IRCR is simple enough that anyone can run the program and forward the output to a forensic investigator for further analysis.

Commercial Software

You should evaluate the following commercial software for your forensic needs:

AccessData's FTK Imager acquires a bit-for-bit image of an entire disk drive (or other media) and verifies the copy by hash. The Forensic Toolkit (FTK) allows you to analyze the images made using FTK Imager. These tools assist the forensic examiner in conducting a complete and thorough computer forensic examination of computer disk drives. Supported file systems include FAT12/16/32, NTFS, NTFS compressed, and Linux ext2 and ext3. Like EnCase, FTK is a full suite of forensic applications.

EnCase is a commercial software package that enables an investigator to image and examine data from hard disks, removable media, and some PDAs. It enables examiners to acquire and analyze volatile data and image drives, verify the copy is exact using MD5 and CRC, and mount evidence files of hard drives and CD-ROMs as local drives. It also includes the ability to boot the mounted drive in VMware. Many law enforcement groups throughout the world use EnCase. If an investigation might be handed over to the police or used in a court of law, you should consider using EnCase.

Technology Pathways’ ProDiscover Incident Response (IR) provides traditional and network forensic capabilities. This software has a remote agent with the ability to run in stealth mode, reducing the chance that the target will be alerted to the presence of the software. The deployed agent allows forensic investigators to collect and analyze a variety of data. It also has the ability to acquire a full image of the target. The live analysis supports capturing RAM in Windows Vista and Windows Server 2008. It also allows forensic investigators to search for pattern matches using wildcards.

ProDiscover IR contains a guide to assist users in programming the ProScript interface. This feature allows investigators to rapidly start common tasks.

ProDiscover IR is at the high end of the price range for forensic software and support is provided on a fee basis. The ProDiscover IR Web site contains forums, documentation, and downloads.

X-Ways Forensics (XWF) is a computer forensic environment that runs under Windows 2000/XP/2003/Vista*/2008*/7*, in 32-bit and 64-bit modes. Based on the WinHex hex and disk editor, XWF is able to run from external devices such as flash or external drives. It's also useful for collaboration with forensic investigators using X-Ways Investigator. X-Ways Forensics' features include, but are not limited to:

  • Disk cloning and imaging
  • Reading and partitioning file system structures inside raw (.dd) image files, ISO and VHD images
  • Access to disks, RAIDs, and images more than 2 TB in size (more than 2^32 sectors) with sector sizes up to 4 KB
  • Built-in interpretation of JBOD, RAID 0 and RAID 5 systems and dynamic disks
  • Native support for a variety of file systems including FAT12, FAT16, FAT32, exFAT, TFAT, NTFS, ext2, ext3, ext4, Next3, CDFS/ISO9660/Joliet, and UDF
  • The ability to view and dump physical RAM and the virtual memory of running processes
  • Several data recovery and file carving techniques

PDA, Mobile Phone, and Portable Device Tools

Mobile device forensics is concerned with recovering digital evidence from portable devices—mobile phones, BlackBerry devices, iPads, iPod Touch, and others—in a forensically sound manner. A mobile device is a digital device with internal memory that can communicate. Mobile devices may contain text and e-mail messages, contacts, locations, call records, photos, calendars, notes, and other types of personal information, or evidence. Such devices often possess several kinds of memory including volatile and nonvolatile memory, such as flash. They also have proprietary or custom interfaces, so the forensic process with such devices differs from computer forensics.

Device Seizure from Paraben acquires and analyzes cell phone, PDA, and GPS device data. Device Seizure supports a wide variety of cell phones and PDAs using the following Operating Systems: Palm through 6, Windows CE/Pocket PC/Mobile 4.x and earlier, BlackBerry 4.x and earlier, and Symbian 6.0. It also supports Garmin GPS devices.

Palm dd (pdd) is a Windows-based tool for Palm OS memory-imaging and forensic analysis. The Palm OS Console mode is used to capture memory card information and to create a bit-for-bit image of the selected memory region.

BitPim is a program that allows you to view and manipulate data on many CDMA phones from LG, Samsung, Sanyo, and other manufacturers. This includes most Qualcomm CDMA chipset-based phones.

Oxygen Forensic Suite 2010 is mobile forensic software that supports over 1,800 devices and goes beyond standard logical analysis of cell phones, smartphones, and PDAs, enabling forensic investigators to extract information that is generally not retrievable with other mobile forensic tools.

Mobilyze was designed to forensically analyze iPhone, iPod Touch, and iPad devices. The product is capable of analyzing multiple devices simultaneously.

Zdziarski’s Forensics Guide for the iPhone provides a way to make a bit-by-bit copy of the original media. By analyzing the image this method provides, an examiner can discover a wealth of information that other tools can’t provide. Site access is freely available to full-time, active-duty law enforcement or military personnel tasked with mobile forensic imaging as part of their duties.

This is simply a list of the most common tools used to capture data for analysis; many others exist. Whatever you choose, identify the most appropriate tool for your environment and become familiar with it before the need for an investigation arises.
